 # Lecture 12

Oct 23, 2014


Lecture 12: Public-Key Cryptography and RSA

Lecture Notes on "Computer and Network Security" by Avi Kak ([email protected])

April 24, 2012, 4:40pm

© 2012 Avinash Kak, Purdue University

Goals:

- To review public-key cryptography
- To demonstrate that confidentiality and sender-authentication can be achieved simultaneously with public-key cryptography
- To review the Rivest-Shamir-Adleman (RSA) algorithm for public-key cryptography
- To present the proof of the RSA algorithm
- To go over the computational issues related to RSA
- To discuss the security of RSA

CONTENTS

- 12.1 Public-Key Cryptography
- 12.2 The Rivest-Shamir-Adleman (RSA) Algorithm for Public-Key Cryptography: The Basic Idea
  - 12.2.1 The RSA Algorithm: Putting to Use the Basic Idea
  - 12.2.2 How to Choose the Modulus for the RSA Algorithm
  - 12.2.3 Proof of the RSA Algorithm
- 12.3 Computational Steps for Key Generation in RSA Cryptography
  - 12.3.1 Computational Steps for Selecting the Primes p and q in RSA Cryptography
  - 12.3.2 Choosing a Value for the Public Exponent e
  - 12.3.3 Calculating the Private Exponent d
- 12.4 A Toy Example That Illustrates How to Set n, e, and d for a Block Cipher Application of RSA
- 12.5 Modular Exponentiation for Encryption and Decryption
  - 12.5.1 An Algorithm for Modular Exponentiation
- 12.6 The Security of RSA
- 12.7 Factorization of Large Numbers: The Old RSA Factoring Challenge
- 12.8 The RSA Algorithm: Some Operational Details
- 12.9 RSA: In Summary ....
- 12.10 Homework Problems

## 12.1: PUBLIC-KEY CRYPTOGRAPHY

Public-key cryptography is also known as asymmetric-key cryptography.

Encryption and decryption are carried out using two different keys. The two keys in such a key pair are referred to as the public key and the private key. (As we will see, this solves one of the most vexing problems associated with symmetric-key cryptography: the problem of key distribution.)

With public key cryptography, all parties interested in secure communications can publish their public keys.

Party A, if wanting to communicate confidentially with party B, can encrypt a message using B's publicly available key. Such a communication would only be decipherable by B as only B would have access to the corresponding private key. This is illustrated by the top communication link in Figure 1 on page 5.


Party A, if wanting to send an authenticated message to party B, would encrypt the message with A's own private key. Since this message would only be decipherable with A's public key, that would establish the authenticity of the message, meaning that A was indeed the source of the message. This is illustrated by the middle communication link in Figure 1 on page 5.

The communication link at the bottom of Figure 1 shows how public-key encryption can be used to provide both confidentiality and authentication at the same time. Note again that confidentiality means that we want to protect a message from eavesdroppers and authentication means that the recipient needs a guarantee as to the identity of the sender.

In Figure 1, A's public and private keys are designated $PU_A$ and $PR_A$. B's public and private keys are designated $PU_B$ and $PR_B$.

As shown at the bottom of Figure 1, let's say that A wants to send a message M to B with both authentication and confidentiality. The processing steps undertaken by A to convert M into its encrypted form C that can be placed on the wire are:

$$C = E(PU_B, E(PR_A, M))$$

where E() stands for encryption. The processing steps undertaken by B to recover M from C are

$$M = D(PU_A, D(PR_B, C))$$

where D() stands for decryption.

The sender A encrypting his/her message with its own private key $PR_A$ provides authentication. This step constitutes A putting his/her digital signature on the message. Instead of applying the private key to the entire message, a sender may also sign a message by applying his/her private key to just a small block of data that is derived from the message to be sent.

The sender A further encrypting his/her message with the receiver's public key $PU_B$ provides confidentiality.

Of course, the price paid for achieving confidentiality and authentication at the same time is that now the message must be processed four times in all for encryption/decryption. The message goes through two encryptions at the sender's place and two decryptions at the receiver's place. Each of these four steps involves separately the computationally complex public-key algorithm.

IMPORTANT: Note that public-key cryptography does not make obsolete the more traditional symmetric-key cryptography. Because of the greater computational overhead associated with public-key crypto-systems, symmetric-key systems continue to be widely used for content encryption. However, it is generally agreed that public-key encryption is indispensable for key management, for distributing the keys needed for the more traditional symmetric key encryption/decryption of the content, for digital signature applications, etc.


[Figure 1: Party A wants to send a message to Party B. Three panels: when only confidentiality is needed (encrypt with $PU_B$, decrypt with $PR_B$); when only authentication is needed (encrypt with $PR_A$, decrypt with $PU_A$); when both confidentiality and authentication are needed (encrypt with $PR_A$, then with $PU_B$; decrypt with $PR_B$, then with $PU_A$). This figure is from Lecture 12 of "Computer and Network Security" by Avi Kak.]

## 12.2: THE RIVEST-SHAMIR-ADLEMAN (RSA) ALGORITHM FOR PUBLIC-KEY CRYPTOGRAPHY: THE BASIC IDEA

The RSA algorithm, named after Ron Rivest, Adi Shamir, and Leonard Adleman, is based on a property of positive integers that we describe below.

When n satisfies a certain property to be described later, in arithmetic operations modulo n, the exponents behave modulo the totient $\phi(n)$ of n. [See Section 11.3 of Lecture 11 for the definition of the totient of a number.] For example, consider arithmetic modulo 15. We have $\phi(15) = 8$ for the totient. You can easily verify the following:

$$5^7 \cdot 5^4 \bmod 15 = 5^{(7+4) \bmod 8} \bmod 15 = 5^3 \bmod 15 = 125 \bmod 15 = 5$$

$$(4^3)^5 \bmod 15 = 4^{(3 \times 5) \bmod 8} \bmod 15 = 4^7 \bmod 15 = 4$$

Again considering arithmetic modulo n, let's say that e is an integer that is coprime to the totient $\phi(n)$ of n. Further, say that d is the multiplicative inverse of e modulo $\phi(n)$. These definitions of the various symbols are listed below for convenience:

- n = a modulus for modular arithmetic
- $\phi(n)$ = the totient of n
- e = an integer that is relatively prime to $\phi(n)$ [This guarantees that e will possess a multiplicative inverse modulo $\phi(n)$]
- d = an integer that is the multiplicative inverse of e modulo $\phi(n)$

Now suppose we are given an integer M, M < n, that represents our message, then we can transform M into another integer C that will represent our ciphertext by the following modulo exponentiation:

$$C = M^e \bmod n$$

At this point, it may seem rather strange that we would want to represent any arbitrary plaintext message by an integer. But, it is really not that strange. Let's say you want a block cipher that encrypts 1024 bit blocks at a time. Every plaintext block can now be thought of as an integer M of value $0 \le M \le 2^{1024} - 1$.

As you will soon see, we can recover M back from C by the following modulo operation:

$$M = C^d \bmod n$$

### 12.2.1: The RSA Algorithm: Putting to Use the Basic Idea

The basic idea described in the previous subsection can be used to create a confidential communication channel in the manner described here.

An individual A who wishes to receive messages confidentially will use the pair of integers {e, n} as his/her public key. At the same time, this individual can use the pair of integers {d, n} as the private key. The definitions of n, e, and d are as in the previous subsection.

Another party B wishing to send a message M to A confidentially will encrypt M using A's public key {e, n} to create ciphertext C. Subsequently, only A will be able to decrypt C using his/her private key {d, n}.
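The key pairs {e, n} and {d, n} described above, together with the nested form C = E(PU_B, E(PR_A, M)) from Section 12.1, as an added example that is not part of the original lecture notes. It assumes n is a product of two small primes (constructed toy values, hypothetical helper names, no padding) and also shows that nesting only works when the inner result fits under the outer modulus, because M < n is required at every step.

```python
# Added example: textbook RSA on constructed toy primes, no padding.
from math import gcd


def make_keypair(p, q, e):
    """Return (public, private) = ((e, n), (d, n)) for distinct primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)   # phi is the totient of n = p * q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to the totient of n")
    return (e, n), (pow(e, -1, phi), n)  # d = inverse of e modulo the totient


def apply_key(key, m):
    """E() and D() are the same operation: m**exponent mod n, for 0 <= m < n."""
    exponent, n = key
    if not 0 <= m < n:
        raise ValueError(f"integer {m} does not fit under modulus {n}")
    return pow(m, exponent, n)


def send(m, pr_sender, pu_receiver):
    """C = E(PU_B, E(PR_A, M)): sender's private key, then receiver's public key."""
    return apply_key(pu_receiver, apply_key(pr_sender, m))


def receive(c, pr_receiver, pu_sender):
    """M = D(PU_A, D(PR_B, C)): receiver's private key, then sender's public key."""
    return apply_key(pu_sender, apply_key(pr_receiver, c))


def roundtrip_ok(pu, pr):
    """True if every M < n survives C = M^e mod n followed by M = C^d mod n."""
    return all(apply_key(pr, apply_key(pu, m)) == m for m in range(pu[1]))


# Constructed toy keys: A has n = 5 * 11 = 55, B has n = 7 * 13 = 91.
PU_A, PR_A = make_keypair(5, 11, 3)   # d = 27
PU_B, PR_B = make_keypair(7, 13, 5)   # d = 29

if __name__ == "__main__":
    print("round trips:", roundtrip_ok(PU_A, PR_A), roundtrip_ok(PU_B, PR_B))
    c = send(7, PR_A, PU_B)
    print("A -> B: C =", c, " recovered M =", receive(c, PR_B, PU_A))
    try:
        send(3, PR_B, PU_A)           # B's signed value can exceed A's modulus
    except ValueError as err:
        print("B -> A:", err)
```
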

If the plaintext message M is too long, B may choose to use RSA as a block cipher for encrypting the message meant for A. As explained by our toy example in Section 12.4, when RSA is used as a block cipher, the block size is likely to be half the number of bits required to represent the modulus n. If the modulus required, say, 1024 bits for its representation, message encryption would be based on 512-bit blocks. [While, in principle, RSA can certainly be used as a block cipher, in practice it is more likely to be used just for exchanging a secret session key and, subsequently, the session key used for content encryption using symmetric-key cryptography based on, say, AES.]

The important theoretical question here is: what conditions, if any, must be satisfied by the modulus n for this $M \rightarrow C \rightarrow M$ transformation to work?

### 12.2.2: How to Choose the Modulus for the RSA Algorithm

With the definitions of d and e as presented in Section 12.2, the modulus n must be selected in such a manner that the following is guaranteed:

$$(M^e)^d \equiv M^{ed} \equiv M \pmod{n}$$

We want this guarantee because $C = M^e \bmod n$ is the encrypted form of the message integer